ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please 
email SARguidance@ico.org.uk. 


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather 
this information. Any data collected by Snap Surveys for ICO is 
stored on UK servers. You can read their Privacy Policy 


Q1 Does the draft guidance cover the relevant issues about the right 
of access? 


AQ1. No, we do not believe the draft guidance covers the relevant issues about the right of 
access. 


By way of background, we (the ‘Firm’, ‘The Claims Guys’) work in the field of Financial Services. We are 
regulated by the FCA. 


Our primary objective and day to day business activity, is to act on behalf of consumers who believe they 
may have suffered some form of financial detriment from financial organisations. Note, a large majority 
of our clients may have had numerous products with numerous Banks/ lender/ mortgage providers etc. 
collectively referred to as ‘financial organisations’. 


The Rules brought forth by the Regulator within the Claims Management Conduct of Business Sourcebook 
(CMCOB), require that we investigate the existence and merits of a Claim before pursuing the Claim, or 
advising a client to pursue a Claim. A key element of satisfying this obligation is to ascertain that a valid 
relationship with a financial organisation existed. 


Whilst we offer a number of different claims services to our clients, our primary focus has been and 
continues to be, PPI. Over the years we have proudly garnered a very smooth, concise and efficient 
process with the support of financial organisations in order to complete a PPI Check, without the need to 
request a full Subject Access Request (SAR). We achieved this by creating a ‘short form’ process, which 
ensured that we were able to minimize the data we held, as well as increasing efficiencies for both our 
firm and the financial organisations we work with. 


For c. 18 months, we have been offering our clients a new claims service; facilitating litigated claims 
under s.140A of the Consumer Credit Act 1974, due to the unfair relationship created by financial 
organisations failing to disclose high-level commissions they earned from the sales of insurance referrals 
notably, PPI policies. These are commonly referred to as ‘Plevin Claims’, named after the Claimant in the 
Supreme Court case of Plevin v Paragon Personal Finance Ltd. 


The level of information required to substantiate a Plevin Claim, is increased in comparison to that of a 
PPI Claim. However, we strongly believe that this too can be facilitated by a ‘short-form’ process. We have 
made continued efforts with financial organisations to establish short-form processes, but have yet to 
have such a process successfully implemented. 


As a result, and as part of our service agreement to our clients, we currently submit a SAR request to 
the financial institution in question. Pursuant to Chapter 2 of the Data Protection Act 2018, we ensure 
our clients are aware of the information we intend to request from the financial organisation 
(transparency) and ensure we limit the SAR to the information we require in order to assess the merits 
of any potential claim (data minimisation). 


In recent times, our approach to regain information on behalf of our clients has become fractured with 
resistance from certain financial organisations on what they will and will not provide, despite our best 
efforts to be clear and transparent. We note, within the draft paper, that there is reference to the 
‘behavior of a third party’ and the fact that this should ‘not be taken into account’; yet we would like to 
see more clarification around controllers’ obligations in relation to third parties acting on behalf of data 
subjects where valid consent has been given, and the service is something in which they have opted in 
for. 


Specifically, we believe it would be beneficial for you to implement/provide elaborated guidance on the 
following subjects: 


1) How a Controller should respond to a SAR made by a third-party on behalf of a data subject 
Relevant section: Can a request be made on behalf of someone? (Page 10/11) 


This section correctly takes into account the data subject’s rights over their data and their preferences, i.e. 
enacting a third party to work on their behalf, and pursuant to Chapter 3, s.52 (6) of the Data Protection 
Act 2018: The controller must facilitate the exercise of the rights of the data subject under sections 45 to 
50. 


On page 11, it states: In most cases, provided you are satisfied that the third party has the appropriate 
authority, you should respond directly to that third party. However, if you think an individual may not 
understand what information would be disclosed, and in particular you are concerned about disclosing 
excessive information, you should contact the individual first to make them aware of your concerns. 


We note that this is unchanged from the Right of Access guidance that is currently in place. 


We would like to highlight that we support the right of the controller to contact a data subject directly and 
request information needed to progress an information request. Unfortunately, we are finding that some 
financial organisations are disregarding the ICO’s guidance and forwarding all SAR responses directly to 
Clients. This approach is taken universally without giving due consideration to the preferences of the Client 
or making any attempts to contact the Client. This blanket approach ignores our Clients’ express requests 
and subsequently causes unnecessary inconvenience to our Clients. 


When challenged, financial organisations have referred us to a piece of ICO correspondence dated 12 
September 2018, which does not appear to have been widely publicised. The correspondence named a Mr 
Neil Wadsworth, who works within your organisation. We approached Mr Wadsworth for comment and were 
referred to this consultation. 


We would request that you elaborate on this section of the guidance and provide clarity as to in what 
circumstances the privately expressed opinion of one of your employees would be seen to supersede publicly 
published guidance? 


2) The ICO’s position on data subjects’ providing authority for a third-party to make a SAR on their 
behalf, via an electronically signed Letter of Authority. 


Relevant sections: Can a request be made on behalf of someone? (Page 10/11), Do we have to respond to 
requests made via a third party online portal? (Page 12/13), Can we ask for ID? (Page 19/20) 


A number of financial organisations are opting not to accept SARs we make on behalf of our Clients where 
the Client has signed their Letter of Authority electronically. We believe it would be beneficial for the ICO to 
make their position on the validity of electronic signatures clear, given the report on the electronic execution 
of documents published by the Law Commission on 4 September 2019. The report, based on the provisions 
of the eIDAS Regulation (eIDAS), the Electronic Communications Act 2000 (ECA 2000) and case law relating 
to electronic signatures concluded that an electronic signature is capable in law of being used to execute a 
document. 


The provision of more comprehensive guidance about the point we raised under 1) would also assist in this 
matter - as above, it is our understanding that if a controller has concerns about the authorisation provided 
by a data subject, they should make attempts to contact the data subject rather than simply declining the 
SAR. 


Q2 Does the draft guidance contain the right level of detail? 


O Yes 
X No 
O Unsure/don’t know 


If no or unsure/don’t know, in what areas should there be more detail 
within the draft guidance? 


Notwithstanding our answer to Q1. 


… your introduction statement on: https://ico.org.uk/about-the-ico/ico-and-stakeholder-…-the-…guidance/ you make the following …: 
“The draft guidance also explores the special rules involving certain categories of personal data” 


On review of the draft guidance, we don’t believe that due consideration is given to certain 
categories of data; the draft fails to highlight any distinction between special category data and 
personal data and instead bundles them all together in a very high-level way. The rules around 
special category data mean the storage of such information is stricter, not to mention the retention 
of such and then the release of any such data back to the individual. We believe breaking down 
each data type into subcategories as well as the inclusion of examples would be most beneficial. 


Q3 Does the draft guidance contain enough examples? 


O Yes 
No 
O Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


We would like to see more examples, particularly around controllers’ obligations in relation to third 
parties acting on behalf of data subjects. 


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


N/A 


Q5 On a scale of 1-5 how useful is the draft guidance? 


O 1 - Not at all useful 
O 2 - Slightly useful 
X 3 - Moderately useful 
O 4 - Very useful 
O 5 - Extremely useful 


Q6 Why have you given this score? 


We find the draft guidance very similar to the guidance already in existence. It may be useful to 
highlight the new examples/ text of the draft along with a rationale as to why the ICO believes the 
importance of any such changes. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


O Strongly disagree 
O Disagree 
X Neither agree nor disagree 
O Agree 
O Strongly agree 


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


The Claims Guys 


What sector are you from: 


Financial Services 


Q10 How did you find out about this survey? 


ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 


Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 
Thank you for taking the time to complete the survey 


